Encrypted password question

I noticed in the html of my router this parameter:



form.addParameter('Password', base64encode(SHA256(Password.value)));



So when I type in the password passw I get this via sslstrip:



2018-09-25 21:13:31,605 POST Data (192.168.1.1):
Username=acc&Password=ZTQ1ZDkwOTU3ZWVjNzM4NzcyNmM2YTFiMTc0ZGE3YjU2NmEyNGZmNGNiMDYwZGNiY2RmZWJiOTMxYTkzZmZlMw%3D%3D


Is this hash easy to crack via bruteforce/dictionary? I am still a beginner, but that looks like double encryption to me.
Also, is there some faster way of getting this password than cracking it?










Tags: encryption, passwords

asked 2 hours ago by MyWays; edited 2 hours ago by schroeder♦

2 Answers






Answer (accepted, 3 votes), answered 2 hours ago by ThoriumBR:

It's a base64 unsalted sha256 hash. It's not double encryption, but a not needed encoding.

An unsalted hash means it's trivial to just search the hash on Google and probably it will find the result.

• Only trivial if the password is common.
  – zaph
  1 hour ago

• I meant "is trivial to search", not to find the password. But to bruteforce SHA256 using any bitcoin ASIC is trivial too. A Dragonmint 16T can do 16TH/s and would bruteforce a 12 chars alphanumeric password in less than 100 hours. An 8 chars alphanumeric would fail in a tenth of a second...
  – ThoriumBR
  53 mins ago

• Sure, a Dragonmint is fast and specialized hardware. That is why using SHA256 is not secure for passwords, what is needed is a slow method such as PBKDF2, Argon2i or comparable methods, these are slow and should be used with parameters to require about 100ms of CPU time and additionally Argon2i requires substantial memory as well. Try e88f244abd61582387cc2afc0476e112550f24395cdf338ed7ad7deace2e6ebe, it is the SHA-256 hash of a 12 character password.
  – zaph
  7 mins ago
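
The salted, slow derivation recommended in the last comment, set beside the single SHA-256 pass the router form computes, as an added example that is not part of the original thread. PBKDF2 is used because it ships in Python's hashlib; the `pbkdf2_sha256$...` record layout and every function name are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time


def unsalted_sha256(password: str) -> str:
    """What the router form computes: one fast, deterministic SHA-256 pass."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def calibrate_iterations(target_seconds: float = 0.1, probe: int = 20_000) -> int:
    """Estimate the PBKDF2 iteration count that costs about target_seconds here."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"calibration", bytes(16), probe)
    elapsed = time.perf_counter() - start
    return max(probe, int(probe * target_seconds / elapsed))


def hash_password(password: str, iterations: int) -> str:
    """Return a self-describing record: scheme$iterations$salt$derived_key."""
    salt = os.urandom(16)  # fresh per password, so equal passwords give different records
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        scheme, iterations, salt_hex, key_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record (hypothetical layout, see lead-in)
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(key, expected)


if __name__ == "__main__":
    rounds = calibrate_iterations()
    first, second = hash_password("passw", rounds), hash_password("passw", rounds)
    # Same input, same SHA-256 output every time: this is what makes lookups possible.
    print("SHA-256 repeatable:", unsalted_sha256("passw") == unsalted_sha256("passw"))
    # Same input, different salted records: a precomputed table no longer applies.
    print("PBKDF2 records equal:", first == second)
    print("iterations for ~100 ms on this machine:", rounds)
    print("verify right/wrong:", verify_password("passw", first),
          verify_password("Passw", first))
```

The iteration count is stored in each record so it can be raised later without invalidating existing entries.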

















Answer (2 votes), answered 2 hours ago by schroeder♦, edited 53 mins ago:

I URL decoded it, then decoded it from base64, then passed it to an online hash database.

The result was:

Hash                                                              Type    Result
e45d90957eec7387726c6a1b174da7b566a24ff4cb060dcbcdfebb931a93ffe3  sha256  passw
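
The decoding steps described in this answer, as an added example that is not part of the original post: it undoes each encoding layer on the captured `Password` field and checks the result against a plain SHA-256 of the password the asker says they typed. The function and key names are assumptions made for this example; the POST body is copied from the question.

```python
import base64
import hashlib
from urllib.parse import parse_qs

# POST body exactly as it appears in the sslstrip log quoted in the question.
CAPTURED_BODY = "Username=acc&Password=ZTQ1ZDkwOTU3ZWVjNzM4NzcyNmM2YTFiMTc0ZGE3YjU2NmEyNGZmNGNiMDYwZGNiY2RmZWJiOTMxYTkzZmZlMw%3D%3D"


def peel_password_field(body: str) -> dict:
    """Undo each transport encoding on the Password field and describe what is left."""
    # Layer 1: form encoding. parse_qs reverses the percent-escapes (%3D -> '=').
    fields = parse_qs(body, strict_parsing=True)
    b64_text = fields["Password"][0]

    # Layer 2: base64. validate=True rejects characters outside the alphabet.
    inner = base64.b64decode(b64_text, validate=True)

    # Layer 3: the form base64-encoded the hex *text* of the digest, not the
    # raw bytes, so the decoded value is ASCII hex.
    hex_digest = inner.decode("ascii")
    raw = bytes.fromhex(hex_digest)  # raises ValueError if it is not hex

    return {
        "username": fields["Username"][0],
        "base64_text": b64_text,
        "hex_digest": hex_digest,
        "digest_bits": len(raw) * 8,
    }


def matches_unsalted_sha256(hex_digest: str, candidate: str) -> bool:
    """True if hex_digest is a plain SHA-256 of candidate with no salt or key mixed in."""
    return hashlib.sha256(candidate.encode("utf-8")).hexdigest() == hex_digest


if __name__ == "__main__":
    info = peel_password_field(CAPTURED_BODY)
    print("username    :", info["username"])
    print("after base64:", info["hex_digest"])
    print("digest size :", info["digest_bits"], "bits")
    # "passw" is the password the asker reports typing into the form.
    print("plain SHA-256 of 'passw':",
          matches_unsalted_sha256(info["hex_digest"], "passw"))
```

No key or secret is needed at any step, which is why the accepted answer calls the base64 layer an encoding rather than encryption.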
